Continuous Monitoring and Continuous Auditing with IT-assisted tools 12 / 2017 The Board of Audit & Inspection of Korea Gim Namjin Table of Contents Part 1. Introduction 1 1. Research Background 1 2. Introduction to IT Audits 6 Part 2. Government’s Audit and Reporting in the U.S. 10 1. who audits 3 2. Government Audit Reporting(“Yellow Book”-GAGAS) 16 Part 3. Continuous Auditing and Continuous Monitoring 28 1. Defining Continuous Auditing 28 2. Differentiating Continuous Auditing from Continuous Monitoring 37 3. The needs of CA/CM 43 4. Skills Required 44 5. Barriers to CM and CA adoption 47 Part 4. Continuous Monitoring Software Tools 49 1. IT Audit Tools Requirement 49 2. Usefulness of CAATs 49 3. Use of Computer-assisted Audit Technique(CAATs) 52 4. Various IT audit tools 56 Part 5. Case studies 60 1. Application of ACL 60 2. Application CaseWare tool 72 3. Government auditing report: using ACL 79 4. Application of BAI audit tool 88 Part 6. Policy suggestions 94 1. Practice of BAI audits 94 2. Policy Recommendation 95 Part 7. Final opinion 98 【Figure】 No contents page Areas covered by the principles for public-sector 1 9 auditing 2 Flowchart of General Audit Operating Process 61 3 The capability of CaseWare Monitor 74 4 Flowchart of Local Audit Process 82 【Tables】 No contents page Areas covered by the principles for public-sector 1 2 auditing Continuous Auditing versus Continuous 2 40 Monitoring 3 Use of Computer-assisted Audit Technique 55 【Appendixes】 No contents page 1 Understanding audits of BAI 3 2 Understanding Financial Audit in the US 8 Federal government organization and financial 3 12 statement reporting flow 4 Issuing the independent auditor reports 23 FY2015 US. Federal Government Combined 5 25 Financial Statements 6 Survey of best suiting area and drivers 45 < 국외훈련 개요> 1. 훈련국 : 미국 2. 훈련기관명 : CKP회계법인(Choi, Kim & Park, LLP) 3. 훈련분야 : 감사원 IT감사 방법론 4. 훈련기간 : 2015. 12. 7. ～ 2017. 12. 6. 5. 훈련기관 소개 ○ 인터넷 웹주소 : http://www.ckpcpas.com ○ 대표회계사 : Hoon, Kim([email protected]) ○ 주소 : 2010 Main St., Suite 520 Irvine, CA 92614 ○ 전화/팩스 : (TEL) 949-757-0900/(FAX) 949-757-0668 ○ 조직 : CKP는 미국내 8개 office(*)를 보유한 한국계 최대 회계법인 으로, 미국 5대 회계법인 McGladrey의 member법인 (*) 캘리포니아주 Los Angeles, San Jose, Irvine, San Diego 등 4개, 알라바마주 Montgomery, 조지아주 La Grange, 뉴저지주 Fort Lee, 텍사스주 Houston ○ 주요업무 - 민간 및 공공부문의 재무제표 감사, 세무 및 컨설팅 - 이전가격 및 사전 가격합의서비스 - 자금조달․신용구축자문, 사업체 가치평가 및 M&A서비스 - Single audit, Compliance audit 및 기타 정부관련 회계서비스 Part 1. Introduction 1. Research Background In the beginning of 2014, the Korean Supreme Audit Institution(SAI), The Board of Audit and Inspection of Korean government(BAI) stressed that BAI should change and develop itself to fulfill its primary missions to protect wrongdoings and frauds in the public sector by adopting an Advanced Information Audit system(IT audit). So the head of BAI set up the new Information audit bereau in the BAI to meet the new challenges that these times require. However, there were two big and massive governmental-wide negligence of duty and fraudulent public money misuse in a couple years such as “Sewol-ho ferry sinking 2014”, and “the president Park’s governmental wrongdoings and her impeachment case 2017” that made political and socioeconomic shocks to the Korean citizens. This research background is placed on the basis of limitation of BAI audit that conducting mostly after bad things happenings, not so much predetective and effective to detect fraud. Also the auditees are appeal to the audit fatigue to the BAI that conducts audit ineffectively such as heavy material documentation preparing and unsettlement of audit results. So that I conducted this research to get the notice of IT audit schema and effective IT audit tools that useful in public sector. The table 1. shows the range of public sector and the major characters in the public sector auditings following by INTOSAI(International Organization of Supreme Audit Institutions). - 1 - [Table 1] Areas covered by the principles for public-sector auditing General Principles Professional Ethics & Independence judgement, due care Quality control qAudit team management & Scapticism & skills Audit risk Materiality Documentation Communication Principles related to the audit Peocess Planning the audit Conducting the audit Reporting & Follow up ․Established the terms of the ․Perform the planned audit audit ․Prepare a report based on the procedures to obtain audit ․Obtain understanding conclusions reached ⇒ evidence ⇒ ․Conduct risk assessment or problem analysis ․Follow up on reported matters ․Evaluate audit evidence and ․Identity risks of frauds as relevant draw conclusions ․Develop an audit plan * INTOSAI ISSAI-100, "Fundamental Principles of Public-Sector Auditing" 2014 - 2 - Appendix 1 Understanding audits of BAI The BAI performs audits to ensure that the taxpayer money is being expended properly, and conducts inspections of government agencies and their employees to assure that their duties are being performed appropriately. 1. Major missions (1) Verification of accounts (Article 99 of the Constitution; Article 21 of the BAI Act) BAI examines the final accounts of the state and verifies that the nation’s resources have been spent wisely to benefit the public. To this end, the Minister of Strategy and Finance writes up the final accounts which include the budgets implemented by all the government agencies, and submits the report to BAI. Then, BAI examines the report meticulously to ensure that the account totals and the actual amount spent are balanced. After BAI has examined the final accounts, the Minister of Strategy and Finance presents the report to the National Assembly on May 31st of the following year. (2) Financial audit (Articles 22 & 23 of the BAI Act) BAI audits the central government, local autonomies and public institutions to ensure that the budget which comes from taxpayer money is being used properly for the nation and its citizens. BAI also scrutinizes the budgets to examine whether or not public - 3 - servants, through willful intent or negligence, are reckless in conducting projects that waste public money. BAI, in accordance with the BAI Act, must audit 34,300 central and local governments as well as other institutions. Furthermore, there are an additional 30,000 institutions which BAI can audit when necessary or at the Prime Minister’s request. (3) Inspection (Article 24 of the BAI Act) Apart from audit, BAI carries out inspection to ensure that the work of government agencies, local autonomies and public institutions and the performance of their employees are being carried out according to the law and principles. just as financial audit is examination of an auditee’s finance, inspection is examination of public employees’ performance to ensure that they are doing their work properly. Should government employees break the law or work in an illegal manner, they will face consequences, such as disciplinary action, in order to set the situation right. BAI also works to correct and improve any irrational laws or systems as well as cumbersome administrative procedures. 2. Types of audit There are four kinds of audits: (1) Financial audit When conducting financial audit, the focus is on analyzing and evaluating the use and management of finances of the auditee and on providing recommendations for improvement. Financial audits are - 4 - conducted on a regular basis to ensure sound and efficient use of financial resources, and also to provide useful information and analysis to the people and the National Assembly. (2) Management audit The purpose of this audit is to conduct a comprehensive analysis and evaluation of the management of the organization, human resources and budget to ensure that the auditee is carrying out its functions and duties properly. This is to ensure that the work regarding budget proceeds both appropriately and lawfully. Through this process, the audit covers the entire management and thereby contributes to enhancing the transparency and efficiency of the organization. (3) Performance audit By conducting a systematic diagnosis and analysis of the problems, whether regarding major policies, projects, systems or management, comprehensive and fundamental recommendations for improvement can be made. This audit provides the support needed to ensure that major policies, measures and projects can be carried out smoothly for optimum results. (4) Special audit The purpose of special audit is to examine important social and economic issues or matters for which the people or the National Assembly have requested an audit. This type of audit is to be used in a flexible and timely manner as needed. The focus of BAI’ audits are on the nonfinancial audits, roughly, that of 80%. So is under 20% of the pure financial audit. - 5 - 2. Introduction to IT Audits Government entities have increasingly adopted Information and Communication Technologies(ICT) to conduct their functions and deliver various services. Such ICT based systems are commonly, also, referred to as Information Systems(IS) or Information Technology(IT) Systems. Supreme Audit Institutions(SAIs) are mandated to audit the Government and their entities as per their respective audit mandate. SAIs, thus, promote the efficiency, accountability, effectiveness and transparency of public administration. The continuous development of Information and Communication Technology has made it possible to capture, store, process and deliver information electronically. This transition to electronic processing has triggered a significant change in the environment in which